longhorn: read oauth2-proxy secrets from vault

infrastructure/longhorn/ui-ingress/kustomization.yaml

@@ -2,6 +2,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - serviceaccount.yaml
+  - oauth2-proxy-longhorn.yaml
   - middleware.yaml
   - ingress.yaml
-  - oauth2-proxy-longhorn.yaml

infrastructure/longhorn/ui-ingress/oauth2-proxy-longhorn.yaml

@@ -32,7 +32,18 @@ spec:
     metadata:
       labels:
         app: oauth2-proxy-longhorn
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "longhorn"
+        vault.hashicorp.com/agent-inject-secret-oidc-config: "kv/data/atlas/longhorn/oauth2-proxy"
+        vault.hashicorp.com/agent-inject-template-oidc-config: |
+          {{- with secret "kv/data/atlas/longhorn/oauth2-proxy" -}}
+          client_id = "{{ .Data.data.client_id }}"
+          client_secret = "{{ .Data.data.client_secret }}"
+          cookie_secret = "{{ .Data.data.cookie_secret }}"
+          {{- end -}}
     spec:
+      serviceAccountName: longhorn-vault
       nodeSelector:
         node-role.kubernetes.io/worker: "true"
       affinity:
@@ -50,6 +61,7 @@ spec:
           imagePullPolicy: IfNotPresent
           args:
             - --provider=oidc
+            - --config=/vault/secrets/oidc-config
             - --redirect-url=https://longhorn.bstein.dev/oauth2/callback
             - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
             - --scope=openid profile email groups
@@ -69,22 +81,6 @@ spec:
             - --skip-jwt-bearer-tokens=true
             - --oidc-groups-claim=groups
             - --cookie-domain=longhorn.bstein.dev
-          env:
-            - name: OAUTH2_PROXY_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: oauth2-proxy-longhorn-oidc
-                  key: client_id
-            - name: OAUTH2_PROXY_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: oauth2-proxy-longhorn-oidc
-                  key: client_secret
-            - name: OAUTH2_PROXY_COOKIE_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: oauth2-proxy-longhorn-oidc
-                  key: cookie_secret
           ports:
             - containerPort: 4180
               name: http

infrastructure/longhorn/ui-ingress/serviceaccount.yaml

@@ -0,0 +1,6 @@
+# infrastructure/longhorn/ui-ingress/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: longhorn-vault
+  namespace: longhorn-system

services/vault/scripts/vault_k8s_auth_configure.sh

@@ -107,6 +107,8 @@ write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
   "crypto/* harbor-pull/crypto" ""
 write_policy_and_role "health" "health" "health-vault-sync" \
   "health/*" ""
+write_policy_and_role "longhorn" "longhorn-system" "longhorn-vault" \
+  "longhorn/*" ""
 
 write_policy_and_role "sso-secrets" "sso" "mas-secrets-ensure" \
   "shared/keycloak-admin" \